How to Conduct Customer Loyalty Programs that Comply with Data Privacy Laws

Key takeaways:
  • As part of their privacy laws, California and Colorado have adopted regulations that specifically address customer loyalty or rewards programs.
  • California’s law regulates only for-profit entities; it covers all financial incentive programs, not just loyalty programs; it requires opt-in consent; and it requires a disclosure of the estimated value of the collected data and the method used to calculate it.
  • Colorado’s law applies to non-profit entities as well as for-profit ones; it is focused specifically on bona fide loyalty programs; it does not require opt-in consent; it requires notice regarding third-party and loyalty program partner access to data; and it sets out a defined process for handling requests to delete.
  • Both laws require disclosure of the categories of personal information that will be collected and used.
  • Enforcement appears to be a priority for both states, as the Attorneys General of California and Colorado have each sent warning letters to businesses they considered non-compliant.

Businesses looking to increase customer engagement, incentivize purchases, and cultivate brand loyalty frequently utilize customer loyalty and rewards programs. One common loyalty program is a system in which customers enroll to earn points on their purchases from the business. The customer may be able to redeem their points for a discount on their next purchase, or receive exclusive offers and early access to new products after earning a certain amount of points.

Although the purchases made by loyalty program members are certainly a benefit to the business, the personal information that enrollees provide to companies in exchange for participation in the program is a significant motivation for many businesses to facilitate such programs.

When enrolling in a loyalty program, customers are typically required to provide their name and email address, and possibly phone number. They may also be asked to provide information about their product preferences, such as how often they make purchases from that retailer, or whether they are generally purchasing products for themselves or others. Once the customer has enrolled, the business is able to collect and analyze data on the customer’s purchase history, and assess the effectiveness of the purchase incentives the business offers. This data can be a valuable tool for businesses in determining their marketing strategies.

To the extent that the business is subject to state data privacy laws, consumer data collected in connection with the loyalty program would be subject to the general requirements of the relevant state data privacy laws. In addition, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and the Colorado Privacy Act (“CPA”) set forth specific requirements for conducting and maintaining loyalty programs. While both laws uniquely target loyalty programs, the laws go about it in different ways.

Businesses that are subject to loyalty program requirements in both states should determine whether their programs are in compliance with data privacy laws; if not, businesses should consider whether they prefer to create a broader loyalty program policy that incorporates the Colorado and California law, or prefer to create individual policies for each state.

Below is a breakdown of each law and how it incorporates legal requirements around loyalty programs.

California Consumer Privacy Act

Who is subject to CCPA?

The CCPA applies to for-profit entities doing business in California that determine the purposes and means of processing consumers’ personal information and that meet at least one of three thresholds: annual gross revenue of more than $25 million, deriving 50% or more of their annual revenue from selling or sharing personal information, or buying, selling, or sharing the personal information of 100,000 or more California consumers or households. Since the CPRA amendments took effect, “consumer” also includes business contacts and employees.

What is a loyalty program under CCPA?

The CCPA uses the broader term of a “financial incentive” which is defined as any program, benefit, or other offering, including payments, to consumers, for the collection, retention, or sharing of personal information. Financial incentives include loyalty programs, and loyalty programs have certainly been a major focus of enforcement by the California Attorney General so far. However, financial incentives also include discounts, free items, or other rewards that a business provides to consumers in exchange for the consumers’ personal information.

What is required for compliance?

The CCPA requires businesses to obtain a consumer’s opt-in consent to the program’s material terms. Certain consumer disclosures (a “notice of financial incentive”) are also required, including: 1) a summary of the price or service differences offered under the loyalty program, 2) the categories of personal information that will be collected and used, 3) how a consumer can opt in to the program, 4) how the consumer can withdraw from the program, 5) an explanation of how the use of personal information is reasonably related to the loyalty program, and 6) a good-faith estimate of the value of the personal information collected and the method the business used to calculate that value.

The CCPA regulations state that loyalty programs fall within one of the data deletion exceptions set forth in the CCPA. When a consumer who is enrolled in a loyalty program submits a data deletion request but states that they want to remain enrolled in the program, the business may deny their request because the data is reasonably necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business’s ongoing relationship with the consumer. The CCPA does not provide specific timing and response requirements for consumer requests to un-enroll from the program or have their personal information deleted.

What are the penalties for non-compliance?

California has demonstrated that it places a high priority on companies’ compliance with the CCPA loyalty program requirements. In January 2022, California Attorney General Rob Bonta sent enforcement letters to several businesses in the retail, home improvement, travel, and food services industries cautioning that their loyalty programs were not in compliance with the CCPA. While the CCPA originally provided a 30-day cure period for violations, that mandatory cure period was eliminated when the CPRA amendments became operative in January 2023. Going forward, businesses that receive enforcement letters may be immediately subject to injunctions and civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation.

Colorado Privacy Act

Who is subject to CPA?

The CPA applies to controllers (including non-profit entities) that conduct business in Colorado or target products or services to Colorado residents and that either control or process the personal data of 100,000 or more Colorado consumers in a calendar year, or sell personal data and control or process the personal data of 25,000 or more Colorado consumers in a calendar year. “Consumer” does not include an individual acting in a commercial or employment context.

What is a loyalty program under CPA?

The CPA Regulations define a “Bona Fide Loyalty Program” as any loyalty, rewards, premium feature, discount, or club card program that is established for the genuine purpose of providing loyalty program benefits to consumers who voluntarily participate, where the primary purpose of the data processing in connection with the program is to provide those benefits. Loyalty program benefits include an offer of a superior price, rate, level, quality, or selection of goods or services, and may be provided to the consumer directly by the controller or through a loyalty program partner. In contrast to the CCPA’s broad “financial incentive” concept, this definition focuses on traditional loyalty and rewards programs in which consumers enroll to receive points or rewards; it would not encompass more general marketing programs, such as marketing email lists that provide coupons or discounts to consumers.

What is required for compliance?

Unlike the CCPA, the CPA does not require opt-in consent to enroll. However, consumers still must voluntarily agree to be enrolled in any loyalty program. Consumer consent is required for the use of personal data obtained from a secondary source, as well as for any processing of sensitive data in connection with the loyalty program. “Sensitive data” includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; and the personal data of a known child.

Notices must be provided when consumers register for the loyalty program. These notices must include: 1) the categories of personal data or sensitive data that will be sold or used for targeted advertising, 2) the categories of any third parties that will receive personal data or sensitive data, 3) any loyalty program partners, and 4) the program benefits provided by each program partner.

If a consumer requests that their personal data be deleted, and fulfilling the request would require the business to revoke the consumer’s loyalty program benefits, the business must notify the consumer, 24 hours before revoking those benefits, with an explanation of how it will fulfill the request. If the business states that deleting the data as requested will require it to revoke the loyalty program, it must explain the reasoning behind that decision; any claim that personal data is required for access to a loyalty program must be supported by an explanation. Further, the business must continue to offer the consumer any benefits that do not require it to process the personal data at issue. The CPA emphasizes that a business should not condition loyalty program membership on the use of personal data that is not actually required to operate the loyalty program.

What are the penalties for non-compliance?

Unlike the CCPA, the CPA currently provides a 60-day cure period for violations. However, that cure period will sunset on January 1, 2025, so businesses should ensure that their loyalty programs are on track to reach compliance by the sunset date. Colorado Attorney General Phil Weiser sent a series of letters to businesses within two weeks of the CPA taking effect, stating that the Colorado Department of Law would begin enforcing the newly effective Colorado Privacy Act. This signals that Colorado is taking these regulations seriously and plans to enforce them. Penalties are steep: violations are treated as deceptive trade practices under the Colorado Consumer Protection Act, subjecting businesses to civil penalties of up to $20,000 per violation.

If you have a business operating in California or Colorado, consider whether your business is subject to these loyalty program regulations, especially as California and Colorado have made their intent to enforce the regulations clear. Koley Jessen will continue to monitor developments and enforcement actions related to loyalty program regulations. If you believe your business may be subject to these requirements, please contact one of the specialists in Koley Jessen’s Data Privacy and Security team.

*Special thanks to summer associate Emily Tlapek for her contributions to this article.
